
News Article: Vulnerabilities Becoming More Common

Security experts are warning that exploits are becoming more common and more dangerous as they begin to affect security products as well as non-Microsoft software.
The deluge of new vulnerabilities has forced security research group SANS to change its annual 'Top 20 Internet Security Vulnerabilities' list to a quarterly update. (As reported in SC Magazine.)

"Threats are evolving faster than ever this year," said Gerhard Eschelbeck, CTO of Qualys. "We've had a mix of new vulnerabilities this year. Everyone has anti-virus and now even that is affected."

More than 600 internet security vulnerabilities have emerged in the first quarter of 2005. In the early part of 2005 a trend for non-Microsoft (the traditional home of many) vulnerabilities has emerged. Holes in Apple's iTunes, CA licensing software and some anti-virus products have added to the scale of the list.

To qualify for the new quarterly list, vulnerabilities must meet five requirements.

(1) They affect a large number of users.
(2) They have not been patched on a substantial number of systems.
(3) They allow computers to be taken over by a remote, unauthorized user.
(4) Sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them.
(5) They were discovered or first patched during the first three months of 2005.

LDAP – the heart of the secure organization
by Ken Watt
Single sign-on (SSO) has long been a holy grail for security teams in large complex organizations. But the obstacles in the way of its universal deployment have so far proved to be too great - in particular the challenge of interfacing and synchronizing data held in the various directories that larger companies typically deploy.

These proprietary directories have traditionally been built around individual applications, which creates problems for anyone attempting to standardize or centralize user and application credentials.

But things are looking up. The accelerating adoption of LDAP (Lightweight Directory Access Protocol) is finally offering hope to beleaguered security managers who have been seeking to integrate multiple enterprise directories - and so facilitating SSO.

Deploying LDAP across an entire organization can have significant benefits. Firstly, the problem of co-ordinating core directory data is solved. Users are given standardized access permissions that are defined by their role within the company. Authentication credentials can then be maintained centrally and referenced by a whole host of platforms and applications.

In terms of security, the gains are enormous.

Centralized and standardized administration enables effective management of user accounts across all platforms and applications. These can be easily updated throughout the employee's time at the company. Authorization processes and profiles can be managed and audited centrally, meaning that anomalies and abuses are identified more easily.

Uniform authentication parameters can also be set. These can be matched against stronger credentials, like tokens, where necessary. Finally, monitoring is simplified so that any potential security incidents can easily be spotted and dealt with.

But effective LDAP integration goes beyond centralising the three As of security; it can enhance the power of all networked applications. Single changes can be replicated across all directories and applications, which is far more efficient for both administrators and users. Users can also authenticate themselves with a single secure credential, which is far less prone to failure than a plethora of passwords and IDs.

However if LDAP represents network nirvana, there is still some work ahead before we reach this particular paradise. Although there are growing numbers of enterprises that have embraced LDAP successfully, there are many others that are still wrestling with a multitude of platforms, applications and databases that don't offer an easy route to integration and standardization. Before we give in to the hype, we need to consider the practicalities.

Take the example of a company with a significant Microsoft desktop and server community, many of which were running older operating systems that weren't LDAP compliant. Much of the desktop hardware was not up to running Windows 2000 or XP, in addition to a small but significant use of Apple Macs.

Furthermore, the server mix included Windows, multiple flavors of UNIX and AS/400 thrown in for good measure. Core business applications were a combination of commercial off-the-shelf and home-grown products, with little LDAP awareness in either. Lotus Notes was used for email, PeopleSoft for HR: each with its own directory.

A company such as this, which is not unusual, faces a number of choices when moving to an LDAP compliant system, with pros and cons on each side.

The first option is a heterogeneous Microsoft environment, using MS's Active Directory at the core with its Identity Integration Server (MIIS) as a 'Meta Directory' add-on that integrates different directories. There may be cost advantages to following this route, but it doesn't necessarily cover all users and certainly not all servers and applications. It also remains an internally proprietary platform despite its external LDAP interface.

The basic alternative is a core directory, external to Microsoft, with native LDAP integration and custom scripted connectors where required. A commercial LDAP directory, such as iPlanet, brings the advantage of supplier integration and support but at significant additional cost. On the other hand, open source-based LDAP has clear cost advantages but could leave organizations exposed in terms of support.

Introducing LDAP therefore is not a quick fix for the issues arising from obsolete platforms, bespoke applications, incompatibility and variety. It can however deliver benefits for the long term.

The good news is that there are many examples of organizations doing this very successfully. It requires vision, determination, a degree of patience and certainly a sound dose of pragmatism. But the work is worth it. The results where integration is achieved successfully can be startling.

LDAP has already made its mark and will eventually become ubiquitous. It will, however, take more time before non-compliant legacy applications disappear completely. In the meantime, organizations should identify the strategy that offers them the most effective route to directory integration over the shortest possible time, balancing the pros and cons of the various open and proprietary offerings.

The author is Consultancy Director, INSL

Now people may read these types of articles and say "Ah-duh" and ROFL; however, it could be argued that if more managerial types read these types of articles, it may be easier to push through security measures and to acquire a security budget. Kind of like "impress your manager friends on the golf course with the knowledge you have of security vulnerabilities and LDAP!"